Rootkits may be programs that use system hooking or modification to hide files, processes, registry keys, and other objects in order to conceal programs and their activity. Rootkits may attempt to take control of a computing device without the device owner's authorization. Rootkit code may have the ability to bypass security applications and tools used to discover the existence of intruders and malicious programs.
Rootkits can be difficult to detect and remove. Security software companies have implemented various technologies to detect and remove rootkits. For example, security software may use volume mapping technology to discover rootkits. The security software may compare a directory listing obtained at the operating system level with a directory listing made by interpreting the master file table (MFT) directly. Differences between the two listings may suggest that a rootkit is present on the device.
For example, if WINDOWS EXPLORER shows two files in a directory and a volume mapping service (e.g. VxMS) shows four files in the directory, the additional two files may be cloaked. The cloaked files may be analyzed to determine whether they are part of a rootkit. If the files are part of a rootkit, the rootkit may be removed.
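The cross-view comparison described above, written out as an added example (not code from the original text or from any product it names). Both listings are constructed sample data; the names and sizes are assumptions, and the list of NTFS metafiles is included so that entries which legitimately exist only in the MFT are not reported as cloaked.

```python
"""Cross-view directory comparison: API-level listing versus raw volume listing."""
from dataclasses import dataclass

# NTFS metafiles live in the MFT but never appear in an API directory
# listing, so they must not be reported as cloaked (false-positive filter).
NTFS_METAFILES = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef",
                  "$bitmap", "$boot", "$badclus", "$secure", "$upcase", "$extend"}


@dataclass(frozen=True)
class Entry:
    name: str
    size: int


def _normalise(listing):
    # NTFS names are case-insensitive; key each entry on its lower-cased name.
    return {e.name.lower(): e for e in listing}


def cross_view_diff(api_view, volume_view):
    """Return (cloaked, phantom, tampered) sets of lower-cased names.

    cloaked  - present in the raw volume view but missing from the API view
    phantom  - reported by the API but absent from the raw volume
    tampered - present in both views but with differing sizes
    """
    api = _normalise(api_view)
    vol = _normalise(volume_view)
    cloaked = {n for n in vol if n not in api and n not in NTFS_METAFILES}
    phantom = {n for n in api if n not in vol}
    tampered = {n for n in api if n in vol and api[n].size != vol[n].size}
    return cloaked, phantom, tampered


# Constructed sample: what the API listing returned versus what a raw MFT walk found.
API_LISTING = [Entry("report.docx", 40960), Entry("notes.txt", 512)]
VOLUME_LISTING = [Entry("$MFT", 262144), Entry("Report.docx", 40960),
                  Entry("notes.txt", 512), Entry("hidden_driver.sys", 8192),
                  Entry("cfg.dat", 1024)]

if __name__ == "__main__":
    cloaked, phantom, tampered = cross_view_diff(API_LISTING, VOLUME_LISTING)
    print("cloaked:", sorted(cloaked))    # -> ['cfg.dat', 'hidden_driver.sys']
    print("phantom:", sorted(phantom))    # -> []
    print("tampered:", sorted(tampered))  # -> []
```

Any name in the cloaked set is a candidate for the further analysis the text describes; it is evidence of a discrepancy, not by itself proof of a rootkit.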
Some new rootkits are designed to evade detection by even the most advanced security software, including security software that implements techniques using volume mapping. These rootkits may evade detection by cloaking the volume itself. When rootkits go undetected, they may be able to collect confidential information such as user identification data, account numbers, and passwords. Furthermore, ready-to-use rootkit applications may be widely available on the Internet, giving inexperienced hackers the ability to use a rootkit without having to understand how it works. What is needed, therefore, is a more robust way to detect the presence of a rootkit on a system.